BookmarkSubscribeRSS Feed
🔒 This topic is solved and locked. Need further help from the community? Please sign in and ask a new question.
Cherry
Obsidian | Level 7

Hi,

currently we have created some sas internal user id's for a set of associates for special purpose to view few reports on SAS VA, we should not allow them to use external id's ( they are not in our AD group).

I would like to know is there any security issues raises when they use internal sas id's? if yes please elaborate them? also advise how to mitigate the risk?

Appreciate your help.

 

Thanks,

Cherry.

1 ACCEPTED SOLUTION

Accepted Solutions
andreas_lds
Jade | Level 19

@SASKiwi wrote:

[...]

 

Perhaps the biggest risk with SAS internal IDs is their passwords are static and there is no mechanism to have them expire automatically so they get changed on a regular basis. So to mitigate this risk you could have a policy of updating them on a regular basis. It is advisable to have these IDs stored in your company's password safe, so they aren't lost.


Automatic password expiration seems to be possible (using 9.4m5):

internal_acc_pw_exp.png

 

View solution in original post

4 REPLIES 4
SASKiwi
PROC Star

SAS internal IDs must have their passwords stored with them in a SAS metadata repository. These passwords are stored in an encrypted form. OS userids do not normally have passwords stored in SAS metadata, so from that perspective they are more secure.

 

Perhaps the biggest risk with SAS internal IDs is their passwords are static and there is no mechanism to have them expire automatically so they get changed on a regular basis. So to mitigate this risk you could have a policy of updating them on a regular basis. It is advisable to have these IDs stored in your company's password safe, so they aren't lost.

Cherry
Obsidian | Level 7

can we get the audit logs of sas internal id's activities? I mean can we track what they ( sas internal id's) are doing on sas?

 

 

Thanks,

Cherry. 

andreas_lds
Jade | Level 19

@SASKiwi wrote:

[...]

 

Perhaps the biggest risk with SAS internal IDs is their passwords are static and there is no mechanism to have them expire automatically so they get changed on a regular basis. So to mitigate this risk you could have a policy of updating them on a regular basis. It is advisable to have these IDs stored in your company's password safe, so they aren't lost.


Automatic password expiration seems to be possible (using 9.4m5):

internal_acc_pw_exp.png

 

SASKiwi
PROC Star

@andreas_lds  - Thanks for pointing that out. We use 9.4M2 and expiring internal accounts is possible in M2 as well.

suga badge.PNGThe SAS Users Group for Administrators (SUGA) is open to all SAS administrators and architects who install, update, manage or maintain a SAS deployment. 

Join SUGA 

Get Started with SAS Information Catalog in SAS Viya

SAS technical trainer Erin Winters shows you how to explore assets, create new data discovery agents, schedule data discovery agents, and much more.

Find more tutorials on the SAS Users YouTube channel.

Discussion stats
  • 4 replies
  • 1074 views
  • 0 likes
  • 3 in conversation